Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
29/01/2024, 17:16
Static task
static1
Behavioral task
behavioral1
Sample
af38ed0887dd21b6fc1563d9f640086e9902434b50b66833136348e334cba4cf.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
af38ed0887dd21b6fc1563d9f640086e9902434b50b66833136348e334cba4cf.exe
Resource
win10v2004-20231215-en
General
-
Target
af38ed0887dd21b6fc1563d9f640086e9902434b50b66833136348e334cba4cf.exe
-
Size
216KB
-
MD5
3b957a9f74d88a952a5b5bb187e012bb
-
SHA1
7d3a1d8a9b61eb9a93ad8b32f90db48f05e1e168
-
SHA256
022dee1625c30fc17cfc0be7681c1866968c07378d14426da47e641caacdf00d
-
SHA512
401cd8b27d1196fbb9ffd4082219f2c8eda07864e67be3c8d3c5e7bbc40c622797314d0d3ed4be9d185b5ed8e6a48b951c66ea08e9718e12b3cf9dba6f9aa574
-
SSDEEP
3072:m17DaAz38w3vM7F6PFwgBZTGFKQ+avVe+gGooSlFC2OLKKZAFEMpo4Iv1k:Gb8FF6Pf2KQ+aVB2fJqh4Id
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (316) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops desktop.ini file(s) 1 IoCs
description: File opened for modification
ioc: \??\M:\$RECYCLE.BIN\S-1-5-21-3308111660-3636268597-2291490419-1000\desktop.ini
Process: af38ed0887dd21b6fc1563d9f640086e9902434b50b66833136348e334cba4cf.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies boot configuration data using bcdedit 4 IoCs
pid Process
748 bcdedit.exe
1708 bcdedit.exe
2628 bcdedit.exe
2760 bcdedit.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\readme.bmp"
Process: af38ed0887dd21b6fc1563d9f640086e9902434b50b66833136348e334cba4cf.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
2884 vssadmin.exe
320 vssadmin.exe
-
Modifies Control Panel 2 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Control Panel\Desktop\WallpaperStyle = "0"
Process: af38ed0887dd21b6fc1563d9f640086e9902434b50b66833136348e334cba4cf.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Control Panel\Desktop\TileWallpaper = "0"
Process: af38ed0887dd21b6fc1563d9f640086e9902434b50b66833136348e334cba4cf.exe
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid Process
3044 af38ed0887dd21b6fc1563d9f640086e9902434b50b66833136348e334cba4cf.exe (19 identical entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\af38ed0887dd21b6fc1563d9f640086e9902434b50b66833136348e334cba4cf.exe
  "C:\Users\Admin\AppData\Local\Temp\af38ed0887dd21b6fc1563d9f640086e9902434b50b66833136348e334cba4cf.exe"
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3044
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    PID:2980
    C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
      PID:2884
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE
    - Suspicious use of WriteProcessMemory
    PID:2744
    C:\Windows\System32\Wbem\WMIC.exe
      wmic SHADOWCOPY DELETE
      - Suspicious use of AdjustPrivilegeToken
      PID:2652
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit / set{ default } recoveryenabled No
    - Suspicious use of WriteProcessMemory
    PID:2132
    C:\Windows\system32\bcdedit.exe
      bcdedit / set{ default } recoveryenabled No
      - Modifies boot configuration data using bcdedit
      PID:748
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit / set{ default } bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    PID:2656
    C:\Windows\system32\bcdedit.exe
      bcdedit / set{ default } bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
      PID:1708
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    PID:2088
    C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
      PID:320
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE
    - Suspicious use of WriteProcessMemory
    PID:2916
    C:\Windows\System32\Wbem\WMIC.exe
      wmic SHADOWCOPY DELETE
      - Suspicious use of AdjustPrivilegeToken
      PID:2732
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit / set{ default } recoveryenabled No
    - Suspicious use of WriteProcessMemory
    PID:2888
    C:\Windows\system32\bcdedit.exe
      bcdedit / set{ default } recoveryenabled No
      - Modifies boot configuration data using bcdedit
      PID:2628
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit / set{ default } bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    PID:2912
    C:\Windows\system32\bcdedit.exe
      bcdedit / set{ default } bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
      PID:2760
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:1260
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 b05e32b7e78e82f01f6f0c7d1411ee67
SHA1 2e1dda46f8561858b378d19a24b839062f794274
SHA256 f058bc2a88431119f286f2708751f25449dc1d58e1c87de3bb38aff764c814a8
SHA512 6cb7c842a48b9f982ac87280ded95e206e2b9055f9f51ea84f6060470a61a35decbb688650c0d6b7c318df018078af0c0a1afe0ce65db1b460d75ae7800e2d3c